Paper reading - Towards Adversarially Robust Object Detection

1. Abstract

Object detection has long been one of the most popular research directions in computer vision. Its wide use in surveillance and autonomous driving also places higher demands on its safety. However, current adversarial defense methods still focus on basic classification tasks, and object detection, which combines the two tasks of classification and localization, remains unexplored. Simply put, the object detection problem (classification + localization) can be seen as a generalization of the classification problem. This paper provides an initial exploration of adversarially robust object detection.

Writing ideas:
(1) First, existing object detectors are reviewed, and some recently proposed attack strategies are systematically analyzed from the perspective of model robustness.
(2) Object detection is viewed from the perspective of multi-task learning, and it is verified theoretically and experimentally that the roles of the task losses are not symmetric (not consistent or equal).
(3) Further, an adversarial training method is proposed that can use multiple attack sources to improve the robustness of the detection model.

2. Introduction

Adversarial examples: the original sample is given a small, visually imperceptible perturbation that causes the classifier to produce a wrong prediction.

Article contributions:
(1) Classify and analyze different attacks on object detectors, explaining the basic mechanisms they share
(2) Focus on the interaction between different task losses and their impact on robustness
(3) Extend the adversarial training framework from classification tasks to detection tasks, and propose an adversarial training method that can solve the mutual interference between loss functions of different tasks

3. Related Work

3.1 Attacks and Adversarial Training for Classification (attacks and adversarial training on classification tasks)

Two representative (white-box) attack methods:

  • Fast gradient sign method (FGSM)
  • Projected Gradient Descent (PGD)

Defense methods against adversarial attacks:

  • denoising
  • gradient obfuscation
  • Adversarial training: trains a robust model by optimizing a min-max problem. The inner maximization generates attacks against the current model parameters, and the outer minimization is over the training loss.
  • etc.

3.2 Object Detection and Adversarial Attacks. (target detection and adversarial attacks)

Object detectors are either single-stage or two-stage. The second stage of a two-stage detector refines the results of the first stage one or more times.
The single-stage detector is therefore very important, and it is the object of study in this paper.
In addition, current attack methods often do not perturb the entire image but restrict the perturbation to a local area.

3. Object Detection and Attacks Revisited (review of object detection, and the relationship between variant attack methods)

3.1 Object Detection as Multi-Task Learning (multi-task learning perspective to see target detection - actually refers to the composition of the loss function)

Task (optimization) goal: for samples drawn from the dataset D, minimize the expected loss of the predictions of the model f.

Without loss of generality, the expectation is dropped in what follows to avoid notational clutter.

In practice, the optimization objective of this problem is written as a combination of the loss functions for classification and localization.

3.2 Detection Attacks Guided by Task Losses (detection attacks guided by task losses)

Looking at the various attacks on object detection from the perspective of multi-task learning, we find a commonality: they can all be understood as variants that use different task losses or combinations of them.

This provides a basis for understanding and comparing different attacks on object detection.

In this way, different attack methods can be classified; the categories of their loss functions are different.

Why can different loss functions (for a single problem) be used to generate attack samples for object detection (combining two problems)? The following are two views on "the effectiveness of a single task loss in an overall attack":

  • The classification and localization tasks share part of the network, so the two tasks built on the base net should share some weaknesses that can be attacked.
  • The two tasks each have their own branch after the base net, but NMS is used in the test phase, which couples the two branches. When redundant predictions are pruned, both tasks are affected at the same time (the structure acts back on the function).

No matter how the attack is optimized and how its components are combined, the path stays unclear without an understanding of the role each individual component plays in the robustness of the model.

Once this is made clear, a robust training method for object detectors follows naturally. This is exactly what Section 4 addresses.

4 Towards Adversarially Robust Detection

4.1 The Roles of Task Losses in Robustness (the role of task loss in model robustness)


Because the two tasks share a base net, they inevitably affect each other even when the input image is perturbed with respect to a single task. The role of the task losses in model robustness is analyzed below from several perspectives.

  • Interaction between task losses: one empirical observation is that the tasks interact, and adversarial examples for one task can also degrade the model's performance on the other task.
    To illustrate this point, the two tasks are studied separately with the other task marginalized out: focusing only on classification reduces the problem to multi-label classification, and focusing only on localization reduces it to class-agnostic object detection.
    To compare the effects more clearly, the detection outputs of the network before NMS are recorded. The experiment uses single-step PGD with a radius of 8, and the results are shown in Fig. 3(a). A candidate is selected as foreground if its IoU (intersection over union) with a ground-truth annotation exceeds the 0.5 threshold; such candidates are treated as clean inputs for both tasks.
    The experimental results show a form of attack transfer between the tasks. This also serves as experimental evidence that adversarial examples generated from a loss function designed for a single task can effectively attack object detectors.

  • Task gradient misalignment: the gradients of the two tasks point in similar optimization directions to some extent, but they are not fully consistent. This task gradient misalignment may interfere with subsequent adversarial training. To verify this, a scatterplot of the gradients of the classification task and the localization task is drawn in Fig. 3(b). Observations:
    (1) The gradient magnitudes differ across tasks, which indicates a potential imbalance between the task losses.
    (2) The gradient directions of the tasks are inconsistent, so the task gradients (optimization directions) may conflict.
    Figure 4 outlines the maximum gradient range of each task. The two task domains are not completely separated into two unrelated clusters, which supports the idea and experimental observation of mutual influence between the tasks stated above.
    At the same time, a large part of the two domains does not overlap, which indicates misalignment and conflict between the gradients of the two tasks.


4.2 Adversarial Training for Robust Detection (the proposed method: adversarial training for robust detection)

Optimization objective: for robust object detection training, the feasible domain is set to the union of the classification task domain and the localization task domain.


Several differences between "adversarial training for robust detection" and "adversarial training for traditional classification problems" (in other words, how can we generalize the network for classification problems to the network for detection problems?):

  1. Multi-task sources for adversarial training, reflected in: (1) number: there are multiple detection targets; (2) heterogeneity: there are both classification and localization tasks.
    Adversarial example generation and training therefore draw on multiple sources of supervision, which generalizes the adversarial training method used for classification problems.
  2. Task-oriented domain constraints: traditional adversarial training sets a task-agnostic domain constraint Sx, while robust training for detection uses task-oriented domain constraints.
    These set the feasible domain to be the set of images that either maximize the loss of the classification task or maximize the loss of the localization task. The adversarial example used for training is the instance in this set with the largest overall loss. The advantage of these task domain constraints is that adversarial examples can be generated under the guidance of each individual task without interference between the tasks.

When the task domain is relaxed to Sx, the bbox is extended to the entire image, and a single class label is assigned to each image, this reduces to the setting of the classification problem.
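The candidate-selection step of 4.2 and the gradient comparison of 4.1, as an added sketch that is not code from the paper or the original post. The toy linear detector, its weights, the sample input and all function names are constructed for illustration, and a single sign step stands in for the inner maximization.

```python
import math

# Constructed toy detector: shared linear base -> classification head + box head.
W = [[0.5, -0.2, 0.1], [0.3, 0.8, -0.5]]                  # shared base, 3 -> 2
C = [[1.0, -1.0], [-0.5, 0.7]]                            # cls head, 2 -> 2 logits
B = [[0.6, 0.1], [-0.3, 0.9], [0.2, 0.2], [0.4, -0.6]]    # loc head, 2 -> 4 box coords
X, LABEL, BOX = [0.2, 0.5, 0.9], 0, [0.3, 0.4, 0.5, 0.6]  # constructed sample
EPS = 8 / 255  # assumption: the page's "radius of 8" read on a 0-255 pixel scale

def matvec(M, v):
    return [sum(m * x for m, x in zip(row, v)) for row in M]

def t_matvec(M, v):  # computes M^T v, used to backpropagate through a linear layer
    return [sum(M[i][j] * v[i] for i in range(len(M))) for j in range(len(M[0]))]

def task_losses_and_grads(x, label, box):
    """Return (L_cls, L_loc, dL_cls/dx, dL_loc/dx) with analytic gradients."""
    h = matvec(W, x)
    logits = matvec(C, h)
    exps = [math.exp(z - max(logits)) for z in logits]
    p = [e / sum(exps) for e in exps]
    d_logits = [pi - (i == label) for i, pi in enumerate(p)]  # softmax - one-hot
    resid = [a - b for a, b in zip(matvec(B, h), box)]        # predicted - target box
    l_cls, l_loc = -math.log(p[label]), 0.5 * sum(r * r for r in resid)
    return l_cls, l_loc, t_matvec(W, t_matvec(C, d_logits)), t_matvec(W, t_matvec(B, resid))

def sign_step(x, grad, eps):
    """Single-step sign perturbation; stays inside the L-inf ball of radius eps."""
    return [xi + eps * ((g > 0) - (g < 0)) for xi, g in zip(x, grad)]

def total_loss(x, label, box):
    return sum(task_losses_and_grads(x, label, box)[:2])

def task_oriented_adversary(x, label, box, eps):
    """Build one candidate per task loss, keep the one with the largest overall loss."""
    _, _, g_cls, g_loc = task_losses_and_grads(x, label, box)
    cands = {"cls": sign_step(x, g_cls, eps), "loc": sign_step(x, g_loc, eps)}
    source = max(cands, key=lambda k: total_loss(cands[k], label, box))
    return source, cands[source]

def gradient_cosine(x, label, box):
    """Cosine between the two task gradients; far below 1 means misaligned."""
    _, _, a, b = task_losses_and_grads(x, label, box)
    norm = lambda v: math.sqrt(sum(u * u for u in v))
    return sum(u * v for u, v in zip(a, b)) / (norm(a) * norm(b))
```

On this constructed sample the localization-guided candidate raises the localization loss but lowers the overall loss, so the classification-guided candidate is the one kept for training.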


Origin blog.csdn.net/m0_53327618/article/details/126795861